Sunday, 27 April 2014

Password hell, why everyone is failing password UX 101

Passwords are a horrible clunky mechanism, however, until all devices have finger print / retina scanner APIs they are still an essential basic security mechanism, that is accepted as a necessary evil by the end user.

There tends to be three basic strategies to website passwords that people adopt.

1. A single password for everything. It is a complex, but easily memorable as you have to type the same one in several times a day.

2. A large number of passwords based on a pattern, perhaps even one per website which includes the website name.

3. Randomly generated passwords stored either in the browser or a key storage like keepass.

From my user testing the first two are most common and some companies even ban the use of the third strategy. It should be possible to see these strategies and understand exactly how users access websites and more importantly how to provide the least friction to their use of the website, but I still see plenty of websites which fail to do so. Causing usability problems right at the start of a user experience is one of the least forgiveable mistakes to make, as it paints the whole product negatively from the outset.

Password box which is not a type='password' input

Current browsers do a lot of extra things automatically if you have an input with a type of password, they offer to save it, they obscure the text being entered and some even offer the ability to click on the box and reveal the obscured text to make sure you typed it in correctly.

I once visited a website that was ahead of its time in one respect, however, on a mobile device it was sadly behind the times. The developer had identified one of the issues with the password box, that obscured text could not be read by the user. Obscuring the text is obviously beneficial and probably welcome in a busy environment, but if you are on your own in a secure environment then it would be nice to be able to reveal the password. To achieve this he used a standard text box and manually obscured the text using Javscript and had a reveal icon on the right side of the box. This worked well in a number of desktop browsers, however, on a mobile device it was horrible. Many mobile keyboards would auto-switch the first letter to a capital unexpectedly because it was just a normal text box. Additionally they may try to auto-correct what you were typing to a real word. This made it very hard to enter a correct password on a mobile device.

Not showing the requirements for the password before entry

Everyone hates entering a password only to be told that it is not good enough and I need to have a minimum of 12 characters without any dictionary words etc.

Not showing the requirements at all

When you thought it was bad to be told after you have entered your password that it is not good enough, imagine how annoying it can be if you are never told the requirements even when you fail to meet them. I recently visited a site where no matter what I tried to enter it told me my password was not complex enough. I even tried the following "90-=Iop[Jkl;" only to be met with "this password does not meet the complexity requirements", well it looks pretty bloody complex to me! After a lot of tries I found out that there was a requirement of 15 character minimum; that is not an easy thing to guess and no user should have to.

Ridiculous requirements for passwords

Your password must be changed every month, it must be at least 20 characters long contain at least 3 of each of the following, lower case, upper... If the password has to be so complex then the end user is not going to remember it. They are likely to write it down which largely defeats the point of having a password.

Not handling complex password

Sadly nice memorable complex passwords fail when the website cannot handle them. I get frustrated that so many websites want numbers and symbols and yet some websites cannot handle symbols in their passwords. This means that you cannot use the first two strategies for password memorisation. 

It is very annoying to be met with "your password cannot contain symbols", but there is something worse. Deezer is one of those sites which cannot handle complex passwords properly, but rather than tell you it cannot cope it simply says your password has been accepted but then fails to log in. I wonder how many free trials which could have lead to paying customers have been abandoned because the user was unable to log in and did not thing to use a much simpler password to acquire a login?

Not Handling Long Passwords

Can you believe that Microsoft's requires 8 characters minimum, but cannot handle a password which is more than 16 characters.

The length of a password really helps reduce the probability of it being cracked. Additionally long passwords are not necessarily hard to remember. 16 characters maximum is too small allowing a large range helps make the passwords much harder to crack by a computer.

Allowing a computer unlimited chances to guess

The main reason why people started imposing restrictions on passwords was to reduce the possibility of a computer "cracking" a users password by entering in millions of potential passwords every few seconds until they were successful. Well if the computer can only have a few guesses before it is prevented from trying again then it is substantially more secure and you should not need to have such arduous restriction on passwords as they can only realistically be crack via social engineering or a more fundamental database level hack.

What should I do then to provide the best UX?

Best practice for passwords are not rocket surgery. Simply aim for the following:

  • Help the user enter complex passwords by providing a dynamic complexity rating. The user wants their password to be complex so help them to do so.
  • Provide help text as to the requirements.
  • Try and provide a decent range of password length, 7-128 should be sufficient for most users.
  • Allow symbols, white space, numbers and letters at any point in the password.
  • Restrict number of attempts to stop simple brute force attacks
  • Only enforce a single level of complexity, if you have prevented brute force then the password does not require massive complexity, just enough to prevent a guess in 4 steps ie one of the following
    • Long password - 18 characters or more
    • Lower and upper case
    • Numbers
    • Symbols
    • Not on the list of 100 most common passwords
  • Provide error text explaining why a password has not been accepted and advise on how to meet the requirements for an accepted password.
At least following these options should preventing you from creating resentful users before they have created an account.

Friday, 25 April 2014

Windows Phone 8.1 Developer Preview Crashing / Unlocking issue resolved

After Updating my Lumia 1020 to Windows Phone Developer Preview version 8.1 I felt the new features were great. However, I encountered what I consider a terrible bug, approximately every few hours my phone would not respond, it could not be opened and would require a soft reset every time in order to gain access.

I believe I have tracked this down to the password lock. After removing the password lock I am no longer experiencing this issue. Clearly no-one at Microsoft tried putting a password on their phone, developer preview or not this is a bug that really should have been high priority and not made through any reasonable QA process.

Still feature wise WP 8.1 is great and if Chrome comes to the platform then I doubt I would leave.

Wednesday, 16 April 2014

Project Ara high end or low end?

I remember many years ago when it was impossible to buy a desktop PC for less than £1500, but you could build one for nearer £900. For many years it was cheaper to buy the components and build your own. Then along came Dell. After a couple of years the price difference was minimal and in some cases Dell was actually cheaper.

The build your own PC became an enthusiast market, either gaming machines or super quiet machines were ordered via their components, the closest most people came to the component market was to buy some extra ram.

So I am very curious to find out what project Ara will bring. Will buying the components allow you to maximise the features you want and save money on the stuff you don't care about? Will it be an enthusiast only product where people build super premium phones which cost a lot more than the current flagships just to get that extra professor boost or new sensor type?

Whenever i look for a new phone i wish i could make a hybrid of several of the current flagships. Right now i wish i could combine the camera and the microphones of the Lumia 1520, with the voice processor of the Motorola X, the self healing LG casing and the battery from the Motorola Razor Maxx and the screen from the Galaxy S5. Perhaps now I will be able to build my dream phone... Or will the project never take flight the way I want it to?

Tuesday, 15 April 2014

What a difference a point release makes!

Windows 8 may only have gained a single point release, but it really is amazing how much is included. While some of the features have been in android and iOS for some time, there are brand new features such as WiFi sense and clever refinements of existing features like Cortana.

WiFi sense is a clever piece of software which shares out your WiFi hotspots with your friends. Of course sadly as most of your friends won't have a Windows phone this isn't very useful, but perhaps on the future it might save you from that annoying what's your WiFi password hunt and then entering a stupidly long code.

My favourite feature is the shape typing, which I am using now to write this. It is fast and accurate and for the first time I feel able to write a long piece of text on my Windows phone.
The notification pull down menu brings WP8.1 in line with android and iOS and even after just a day you can see it is better than live tiles on their own.
The sounds are now split further so that there is a media category separate from the phone ring tone volume. This did not really bother me, but I can understand this features absence could easily irritate a lot of people.
With 8.1 I can easily recommend the lie end Windows phones instead of android devices, however at the high end things start to get more complicated. WP 8.1 is not lacking in apps but some of the big apps are still missing some useful features. For example Deezer on Android is much better than the Windows version, youtube on both iOS and Android is the same but realistically on WP you need to use the browser instead. Gmail is just superior in every way to using the email app.
WP 8.1 is an amazing update, if Google and Microsoft could collaborate more then WP 8.1 would start to look like the best platform.

Thursday, 3 April 2014

Wow Windows Phone 8.1 even better than the rumours!

Obviously I was up to speed on all of the new rumoured features, however, to avoid potential disappointment I was resigning myself to the probability that at least one of the rumours was untrue. Luckily all the features I was looking for have been introduced and more!

  • Swype-like keyboard (Shape Typing)
  • Notification bar (Action Center)
  • Cortana Virtual Assistant

Shape Typing

Swype-like keyboard is probably my most wanted feature. Since switching to Windows Phone I have often been waiting to gain access to a desktop before responding to emails because my typing speed has dropped dramatically. While Swype on Android it felt like I was not far from keyboard speed, the standard MS Keyboard felt like I was just wasting my time even starting to type.

Action Center

It is difficult to explain how nice it is to read all your notifications, body text and all, just from a quick swipe on the lock screen unless you have experienced it in Android, preferably stock Android as Samsung tends to flood the notification bar with tons of widgets restricting how much text can appear. It was low on my list of importance as it is only saving a couple of clicks and barely a second, but every little improvement enhances the overall experience in a way that is difficult to measure.

Cortana Virtual Assistant

I am no Halo fan, I preferred Quake & Team Fortress, however, I am a fan of being able to add quick voice reminders. MS appears to have taken this to a new level by allowing location and people based notifications. Additionally the demonstrated app integration looked impressive and I am curious how well it will work in the field.

I certainly cant wait for WP 8.1 to be released, from my perspective it looks like WP is now clearly superior to iOS and possibly on equal footing with Android. 

Of course the little implementation details are important. I have found Swype superior to the Google keyboard implementation of the same functionality, although Google is catching up with each release Swype is still one step ahead. Additionally Androids notification bar is a little better than iOS in terms of functionality, so I could not really make a judgement until I can see the full implementation in person. 

Tuesday, 1 April 2014

LG the surprise package

I had a look at the blind photo comparison on phonearena. It was interesting to see the differences between the top phones available in terms of there cameras. I felt it was a fight between phone 1 and phone 7. While in some cases the other phones were better overall these appeared to me to be the most consistent.

It was not a big surprise that my top pick was the Lumia 1520, the large camera sensor size and consistently good performance of other Nokia phones is well known, what did surprise me was that my second choice was the LG G2!

It does seem that LG might be making a step up to really challenge Samsung, they have made the last two nexus phones, and the G2 is currently selling at a relatively bargain price compared to most other top of the range phones.

Whats more they have developed self healing plastic and curved displays, rear mounted buttons, as well as what appears to be the best android camera. If they were to up their sensor sizes to match Sony and Samsung and keep the OIS it would appear that they could rule the roost for at least 6 months.

The main downside for LG at the moment is that their phones are not "pretty". Their relatively small bezel does help make it look reasonably high tech but overall the iPhone, HTC One and Sony Z2 all have a more striking appearance. Lets face it, if the phone does not stand out in a store it is not going to out sell Samsung and Apple any time soon.

I am now curious to see what the G3 might bring. It will probably be the most underrated phone of 2014 just as the G2 appears to be the most underrated phone of 2013.

Nokia Lumia 1820s are in the rumour mill too, will WP 8.1 be good enough to start displacing Android users in significant numbers. The rumours of solar powered & top spec phone certainly sounds interesting but realistically appears to be more of a wish list rather than something that could actually be released in 2014.